CRITICAL🇵🇱 Wersja polska

CVE-2023-6181

CVSS 9.8v3.1pub. 2023-12-11upd. 2024-11-21

An oversight in BCB handling of reboot reason that allows for persistent code execution

🤖 AI Analysis
How it works

The vulnerability stems from improper handling of the 'reboot reason' field in the BCB structure, which is a memory area used for communication between the operating system and the bootloader. An attacker can exploit this oversight to inject malicious code that becomes persistent and is executed every time the device starts. This mechanism enables persistent code execution — the code survives system restarts.

Impact

An attacker can obtain persistent, unauthorized arbitrary code execution on a Google Chromecast device, potentially leading to complete device takeover, breach of confidentiality, integrity, and data availability.

Mitigation & patch

Apply patches available from the manufacturer according to references — Chromecast security bulletin from December 1, 2023, available at https://source.android.com/docs/security/bulletin/chromecast/2023-12-01. It is recommended to immediately update the firmware of Google Chromecast devices.

Who is affected

Google Chromecast and Google Chromecast Firmware — specific versions indicated in the manufacturer's references (Chromecast security bulletin from 2023-12-01)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Google Chromecast

    HW
    Google
    wszystkie wersje
  • Google Chromecast Firmware

    OS
    Google
    < 2023-10-01
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2023-48426CRITICAL10.0PL ✓ten sam produkt

Krytyczna podatność u-boot w Google Chromecast — dostęp do powłoki przez UART

CVE-2023-48417CRITICAL9.8PL ✓ten sam produkt

Brak sprawdzania uprawnień w aplikacji KeyChainActivity na urządzeniach Google Chromecast

CVE-2023-48424CRITICAL9.8PL ✓ten sam produkt

Privilege escalation poprzez podatność w U-Boot shell na Google Chromecast

CVE-2023-48425CRITICAL9.8PL ✓ten sam produkt

Podatność U-Boot w Google Chromecast umożliwiająca trwałe wykonanie kodu

CVE-2018-12716MEDIUM4.3ten sam produkt

The API service on Google Home and Chromecast devices before mid-July 2018 does not prevent DNS rebinding atta...